Honeypots mailing list archives

honeyd on windows


From: "JaY Lakhani" <jaylakhani () hotmail com>
Date: Thu, 02 Mar 2006 04:35:44 +0000

I want to run a Windows version of honeyd; I am also using honeyd on Linux.

No problems on Linux.

On Windows the IP addresses are as follows:

Firewall 10.10.10.254

Windows HOST 10.10.10.200 ( physical machine that runs vmware workstation)
Windows GUEST 10.10.10.201 ( on vmware)
Honeyd running on WINDOWS guest 10.10.10.10
(I have a static ARP entry on the firewall for this address pointing to the guest's MAC)



Here is the command line I use to run honeyd:
c:\honeyd -d -p C:\honeyd\nmap.prints -x C:\honeyd\xprobe2.conf -a C:\honeyd\nmap.assoc -f c:\honeyd\honeyd.conf -i 2 10.10.10.10

I have also tried it without the IP at the end:
c:\honeyd -d -p C:\honeyd\nmap.prints -x C:\honeyd\xprobe2.conf -a C:\honeyd\nmap.assoc -f c:\honeyd\honeyd.conf -i2


This is the message I get when I run it:

listening on \Device\NPF_{365789CA-7C7A-4645-A1CA-DDBE7BDCC4A3}: ip and {dst 10.10.10.10} and not ether 00:00:0c:29:0a:13:2f

I am not sure why it says "not ether 00:00:0c:29:0a:13:2f" and hope that's not part of my problem.


"\Device\NPF_{365789CA-7C7A-4645-A1CA-DDBE7BDCC4A3}" matches interface 2 when I use WINDUMP -D.


So far, no problems.

I try to ping my honeyd target from the firewall.

In the honeyd window I get a message saying:

Sending ICMP Echo Reply: 10.10.10.10 -> 10.10.10.254

On the firewall I get a message saying:

10.10.10.10 NO response received -- 1000ms


So I ran Ethereal while pinging 10.10.10.10 (the honeyd IP on the guest OS).


In the Ethereal packet capture:

When the VMware guest machine (10.10.10.201) running honeyd sends an ARP broadcast for the honeyd target IP (10.10.10.10), it does not get a response back, and the addresses it shows are:
SOURCE IP 10.10.10.201
SOURCE MAC: 00:00:0c:29:0a:13:2f (right MAC address)
TARGET IP : 10.10.10.10
TARGET MAC: 00:00:00:00:00:00

The ARP entry stays incomplete.

I have tried to hard-code an ARP entry in the Windows guest OS, still the same results. I have tried all of the above on Win XP and Win 2k (Win XP with SP2 broke things even more, so I killed SP2 and SP1), still the same problems.

So it seems like somehow the MAC address of the guest OS needs to be tied to the honeyd target IP.

Any help to make this run would be great.

I run the exact same config file and IPs on a SuSE machine and it runs just fine.

Thanks a lot.
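As an added diagnostic example, not from the original post and not part of honeyd: a small Python script that decodes Ethernet/ARP frames the way Ethereal displayed them above and reports which ARP requests in a capture never got a reply, which is the symptom described for 10.10.10.10. The MAC addresses and the three-frame capture are constructed for the example (the guest's real MAC is not used); with a real capture you would feed it the raw frames read from the pcap instead of sample_capture().

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet-framed ARP packet (RFC 826, Ethernet/IPv4).

    Requests go to the broadcast MAC; replies go back to the requester."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode one raw frame; return None for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return {
        "op": op,
        "sha": mac_str(frame[22:28]),                      # sender MAC
        "spa": str(ipaddress.IPv4Address(frame[28:32])),   # sender IP
        "tha": mac_str(frame[32:38]),                      # target MAC (zeros in a request)
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),   # target IP
    }


def unanswered_arp_requests(frames):
    """Return (requester_ip, target_ip) for every ARP request that no later
    reply in the capture answers, i.e. entries that would stay 'incomplete'."""
    parsed = [p for p in map(parse_arp, frames) if p is not None]
    unanswered = []
    for i, req in enumerate(parsed):
        if req["op"] != ARP_REQUEST:
            continue
        answered = any(
            rep["op"] == ARP_REPLY and rep["spa"] == req["tpa"] and rep["tpa"] == req["spa"]
            for rep in parsed[i + 1:]
        )
        if not answered:
            unanswered.append((req["spa"], req["tpa"]))
    return unanswered


def sample_capture():
    """Constructed capture mirroring the post: the guest's ARP for the honeyd IP
    is never answered. MAC addresses below are placeholders, not real ones."""
    fw_mac = "00:11:22:33:44:fe"      # assumed firewall MAC (10.10.10.254)
    guest_mac = "00:11:22:33:44:c9"   # assumed VMware guest MAC (10.10.10.201)
    return [
        # firewall resolves the guest itself: answered
        build_arp(ARP_REQUEST, fw_mac, "10.10.10.254", ZERO_MAC, "10.10.10.201"),
        build_arp(ARP_REPLY, guest_mac, "10.10.10.201", fw_mac, "10.10.10.254"),
        # guest resolves the honeyd target IP: nobody answers
        build_arp(ARP_REQUEST, guest_mac, "10.10.10.201", ZERO_MAC, "10.10.10.10"),
        # an IPv4 frame with a dummy payload, to show non-ARP traffic is skipped
        mac_bytes(fw_mac) + mac_bytes(guest_mac) + struct.pack("!H", ETH_P_IP) + b"\x00" * 28,
    ]


if __name__ == "__main__":
    for requester, target in unanswered_arp_requests(sample_capture()):
        print(f"ARP who-has {target} tell {requester}: no reply seen")
```

Note that the capture filter honeyd printed, `ip and {dst 10.10.10.10} and not ether ...`, only matches IPv4 packets, so honeyd itself never sees ARP on that interface; something else has to answer ARP for the honeypot address (on Linux that is typically arpd, or a static entry as on the firewall above). The script above is for confirming, from a capture, which request on the segment is the one going unanswered.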


